SAE AADL Standard
An Enabler of Predictable Model-Based System Engineering

• Notation for specification of task and communication architectures of real-time, embedded, fault-tolerant, secure, safety-critical, software-intensive systems

• Fields of application: Avionics, Automotive, Aerospace, Autonomous systems, ...

• Based on 15 years of DARPA funded technologies

• Standard approved by SAE in Sept 2004

• www.aadl.info
SAE AS-2C AADL Subcommittee

• Bruce Lewis (US Army AMRDEC): Chair

• Peter Feiler (SEI): technical lead, author & editor

• Steve Vestal (Honeywell): co-author

• Ed Colbert (USC): UML Profile of AADL

• Joyce Tokar (Pyrrhus Software): Ada & C Annex

Other Voting Members

• Boeing, Rockwell, Honeywell, Lockheed Martin, Raytheon, Smith Industries, General Dynamics, Airbus, Axlog, European Space Agency, TNI, Dassault, EADS, High Integrity Solutions

Coordination with

• NATO Aviation, NATO Plug and Play, French Government COTRE, SAE AS-1 Weapons Plug and Play, OMG UML & SysML
Potential Users

[Figure: organizations and programs adopting AADL, with annotations]

• Airbus, European Space Agency, Rockwell Collins, Lockheed Martin, Smith Industries, Raytheon, Boeing FCS, Common Missile, System Plug and Play

• New System Engineering Approach incorporates AADL

• Modeling of Satellite Systems, Architecture Verification - ASSERT

• Modeling of Avionics Computer System

• Embedded System Engineering & AADL

• Apply AADL for systems integration modeling & analysis

• NATO/SAE AS1 Weapon System Integration
AADL-Based Engineering

[Figure: the software system engineer builds an architecture model (abstract, but precise) from composable components; the model feeds system analysis and system integration; application areas shown include target recognition, guidance & control, signal processing and fusion]

System Analysis

• Schedulability

• Performance

• Reliability

• Fault Tolerance

• Dynamic Configurability

System Integration

• Runtime System Generation

• Application Composition

• System Configuration

Predictive Embedded System Engineering: reduced development & operational cost
A Partitioned Portable Architecture

[Figure: layered stack - application software components run on the AADL Runtime System, which runs on a Real-Time Operating System on the Embedded Hardware Target]

Strong Partitioning

• Timing Protection

• OS Call Restrictions

• Memory Protection

Interoperability/Portability

• Tailored Runtime Executive

• Standard RTOS API

• Application Components
MetaH: Proof of Concepts for AADL

1991 DARPA DSSA program begins
1992 Partitioned PFP target (Tartan MAR/i960MC)
1994 Multi-processor target (VME i960MC)
1995 Slack stealing scheduler
1998 Portable Ada 95 and POSIX middleware configurations
1998 Extensibility through MetaH-ACME Mapping
1998 Reliability modeling extension
1999 Hybrid automata verification of core middleware modules

Numerous evaluation and demonstration projects, e.g.

Missile G&C reference architecture, demos, others (AMCOM SED)
Hybrid automata formal verification (AFOSR, Honeywell)
Missile defense (Boeing)
Fighter guidance SW fault tolerance (DARPA, CMU, Lockheed-Martin)
Incremental Upgrade of Legacy Systems (AFRL, Boeing, Honeywell)
Comanche study (AMCOM, Comanche PO, Boeing, Honeywell)
Tactical Mobile Robotics (DARPA, Honeywell, Georgia Tech)
Advanced Intercept Technology CWE (BMDO, MaxTech)
Adaptive Computer Systems (DARPA, Honeywell)
Avionics System Performance Management (AFRL, Honeywell)
Ada Software Integrated Development/Verification (AFRL, Honeywell)
FMS reference architecture (Honeywell)
JSF vehicle control (Honeywell)
IFMU reengineering (Honeywell)
AADL in Context

[Figure: AADL (extensible, real-time, dependable) draws on DARPA funded research since 1990 and on industrial standards, and is adopted by Airbus & ESA]

Research ADLs

• MetaH

- Real-time, modal, system families

- Analysis & generation

- RMA based scheduling

• Rapide, Wright, ... (extension)

- Behavioral validation

• ADL Interchange

- ACME

Industrial Standards

• UML 2.0, UML-RT (UML Profile)

• HOOD/STOOD

• SDL
AADL: The Language

Components with precise semantics

- Thread, thread group, process, system, processor, device, memory, bus, data, subprogram

Completely defined interfaces & interactions

- Data & event flow, synchronous call/return, shared access

- End-to-End flow specifications

Real-time Task Scheduling

- Supports different scheduling protocols incl. GRMA, EDF

- Defines scheduling properties and execution semantics

Modal, configurable systems

- Modes to model transition between statically known states & configurations

Component evolution & large scale development support

AADL language extensibility
Thread Execution Semantics

Dispatch protocols, nominal & recovery, fault handling, resource locking, mode switching, initialization & finalization

[Figure: thread state machine. States: performing thread initialization; suspended awaiting mode; performing thread activation; performing thread deactivation; suspended awaiting dispatch (Wait_For_Dispatch); performing thread computation. Labeled transitions:
- complete initialization: assert t ≤ Initialize_Deadline + Recover_Deadline ≤ Hyper(Mode)
- thread enter(Mode), dispatch activation (t = 0), complete activation: assert t ≤ Activate_Deadline + Recover_Deadline
- thread exit(Mode) (t = 0), complete deactivation: assert t ≤ Deactivate_Deadline + Recover_Deadline
- Enabled, dispatch computation (t = 0), complete computation: assert t ≤ Compute_Deadline + Recover_Deadline
- thread unrecoverable error detected: assert t ≤ (Compute/Activate/Deactivate)_Deadline + Recover_Deadline
- finalization: assert Finalize_Deadline
- thread abort, abort(process), abort(processor), abort(system), stop(process), stop(processor), stop(system)]
Execution Platform Bindings

• Processor, memory, and connection bindings

• Constraints in support of redundant systems

[Figure: a Mission Processor and two Display Processors driving the Pilot Display and the CoPilot Display, connected over a 1553 bus]
An Avionics System Case Study

• Migration from static timeline to preemptive scheduling

- Identified issues with shared variable communication

- Migration potential from polling tasks to event-driven tasks

• Flexibility, predictability & efficiency of port-based communication

- Defined communication timing semantics

- Support for deterministic transfer & optimized buffers

• Effectiveness of connection & flow semantics

- Support end-to-end latency analysis

• Analyzable fault-tolerant redundancy patterns

- Orthogonal architecture view without model clutter

© 2004 by Carnegie Mellon University, www.aadl.info, Carnegie Mellon Software Engineering Institute

A Naive Thread-based Design

[Figure: one thread per function, each with a priority (Pr 1 ... Pr 9) and rate: Periodic I/O (Pr 1, 20Hz) receiving data from other partitions; Navigation Sensor Processing (Pr 2, 20Hz); Integrated Navigation (Pr 3, 10Hz); Guidance Processing; Flight Plan Processing; Aircraft Performance Calculation (Pr 9)]

• Potential non-deterministic communication due to preemption

• Potential priority inversion due to priority assignment

• Tasks must complete within frame => cyclic executive behavior
Flight Manager in AADL

[Figure: Navigation Sensor Processing (20Hz) receives nav signal data from partitions and produces nav sensor data for Integrated Navigation, which produces nav data for Guidance Processing (20Hz); guidance data and fuel flow (FF) go to partitions]
Data Stream Latency Analysis

• Flow specifications in AADL

- Properties on flows: expected & actual end-to-end latency

- Properties on ports: expected incoming & estimated output latency

• End-to-end latency contributors

- Delayed connections result in sampling latency

- Immediate periodic & aperiodic sequences result in cumulative execution time

• Phase delay shift & jitter

- Noticeable at flow merge points

- Variation interpreted as noisy signal to controller

[Figure: latency calculation & jitter accumulation along a flow; latency oscillation at the merge point is a potential hazard]
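Added example, not from the slides or any SEI tool: a Python walk over a constructed flight-manager flow that applies the two latency contributors named above (delayed connections add sampling latency up to the receiver's next dispatch, immediate connections add only the receiver's execution time), computes best and worst end-to-end latency, the jitter between them, and checks the result against an expected-latency property. Step names, periods, execution times and the expected latency are constructed; the walk is my simplified reading of the slide's rules, not the normative AADL semantics.

```python
from math import ceil

# Constructed flight-manager flow (illustrative numbers, not the slide's): (name, period_ms, bcet_ms, wcet_ms).
FLOW_STEPS = [
    ("Navigation_Sensor_Processing", 50, 5, 8),
    ("Integrated_Navigation", 100, 12, 20),
    ("Guidance_Processing", 50, 6, 10),
]
FLOW_CONNECTIONS = ["delayed", "immediate"]  # connection kind between consecutive steps
EXPECTED_LATENCY_MS = 150                     # constructed expected end-to-end latency property

def next_dispatch(t, period):
    """First dispatch of a periodic task at or after time t (dispatches aligned at t = 0)."""
    return ceil(t / period) * period

def flow_latency(steps, connections, worst_case=True):
    """Simplified latency walk (my modelling assumption, not the normative AADL rules):
    immediate: the receiver runs in the same frame, so only its execution time is added;
    delayed: output is visible at the sender's period end and read at the receiver's
    next dispatch, so sampling latency is added before the receiver's execution time."""
    name, _, bcet, wcet = steps[0]
    t = wcet if worst_case else bcet
    trace = [(name, t)]
    for i, kind in enumerate(connections):
        sender_period = steps[i][1]
        name, period, bcet, wcet = steps[i + 1]
        if kind == "delayed":
            t = next_dispatch(next_dispatch(t, sender_period), period)
        elif kind != "immediate":
            raise ValueError(f"unknown connection kind {kind!r}")
        t += wcet if worst_case else bcet
        trace.append((name, t))
    return t, trace

def check_flow(steps, connections, expected_ms):
    """Best/worst end-to-end latency, the jitter between them, and the expected-latency check."""
    worst, _ = flow_latency(steps, connections, True)
    best, _ = flow_latency(steps, connections, False)
    return {"best_ms": best, "worst_ms": worst, "jitter_ms": worst - best,
            "meets_expected": worst <= expected_ms}
```

Replacing the delayed connection by an immediate one drops the worst-case latency from 130 ms to 38 ms in this model, which is the sampling-latency effect the slide describes.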



Other Flow Characteristics

• Miss rate of data stream

- Accommodates incomplete sensor readings

- Allows for controlled deadline misses

• State vs. state delta communication

- Data reduction technique

- Implies requirement for guaranteed delivery

• Data accuracy

- Reading accuracy

- Computational error accumulation

• Message acknowledgment semantics

- In terms of flow steps
Redundancy Specification

• Redundancy abstraction

• Co-location constraints on execution platform binding

[Figure: redundant display managers MFD DM1 ... MFD DM4, with redundancy characteristics expressed as properties]
Primary/Backup Patterns

[Figure: patterns for a subsystem CSS1 with subcomponents SS1.1 and SS1.2 - Passive Backup (CSS1 Primary with a CSS1 Backup), Hot Standby (CSS1 Primary and CSS1 Backup with continuous state exchange), and Voted Output]
Primary Backup Synchronization

• External and internal mode control

• Errors reported as events

• Supports reasoning about Primary/Backup logic
AADL Language Extensions

• New properties through property sets

• Sublanguage extension

- Annex subclauses expressed in an annex-specific sublanguage

• Project-specific language extensions

• Language extensions as approved SAE AADL standard annexes

• Examples

- Reliability modeling

- ARINC 653

- Behavior

- Constraint sublanguage
Example Annex Extension

THREAD t
FEATURES
  sem1 : DATA ACCESS semaphore;
  sem2 : DATA ACCESS semaphore;
END t;

THREAD IMPLEMENTATION t.t1
PROPERTIES
  -- COTRE thread properties
  Period => 13.96ms;
  cotre::Priority => 1;
  cotre::Phase => 0.0ms;
  Dispatch_Protocol => Periodic;
ANNEX cotre.behavior {**
  -- COTRE behavioral annex
  STATES
    s0, s1, s2, s3, s4, s5, s6, s7, s8 : STATE;
    s0 : INITIAL STATE;
  TRANSITIONS
    s0 -[ ]-> s1 { PERIODIC_WAIT };
    s1 -[ ]-> s2 { COMPUTATION(1.9ms, 1.9ms) };
    s2 -[ sem1.wait!(-1.0ms) ]-> s3;
    s3 -[ ]-> s4 { COMPUTATION(0.1ms, 0.1ms) };
    s4 -[ sem2.wait!(-1.0ms) ]-> s5;
    s5 -[ ]-> s6 { COMPUTATION(2.5ms, 2.5ms) };
    s6 -[ sem2.release! ]-> s7;
    s7 -[ ]-> s8 { COMPUTATION(1.5ms, 1.5ms) };
    s8 -[ sem1.release! ]-> s0;
**};
END t.t1;

Courtesy of
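Added example, not from the slide or the COTRE project: a small Python parser for the transition syntax above that walks the cycle from s0, sums the COMPUTATION bounds, checks that each semaphore is waited on once and released in LIFO order before the cycle closes, and compares the worst-case computation with the 13.96ms period. The transition text is re-typed from the slide; the semaphore-discipline check is my own assumption of what an analysis plug-in would verify.

```python
import re

# Constructed copy of the transitions in the slide's ANNEX cotre.behavior subclause.
COTRE_TRANSITIONS = """
s0 -[ ]-> s1 { PERIODIC_WAIT };
s1 -[ ]-> s2 { COMPUTATION(1.9ms, 1.9ms) };
s2 -[ sem1.wait!(-1.0ms) ]-> s3;
s3 -[ ]-> s4 { COMPUTATION(0.1ms, 0.1ms) };
s4 -[ sem2.wait!(-1.0ms) ]-> s5;
s5 -[ ]-> s6 { COMPUTATION(2.5ms, 2.5ms) };
s6 -[ sem2.release! ]-> s7;
s7 -[ ]-> s8 { COMPUTATION(1.5ms, 1.5ms) };
s8 -[ sem1.release! ]-> s0;
"""
PERIOD_MS = 13.96  # Period => 13.96ms in the thread implementation

# src -[ guard ]-> dst { action };  the { action } part is optional
TRANS_RE = re.compile(r"(\w+)\s*-\[\s*(.*?)\s*\]->\s*(\w+)\s*(?:\{\s*(.*?)\s*\})?\s*;")
COMP_RE = re.compile(r"COMPUTATION\(\s*([\d.]+)\s*ms\s*,\s*([\d.]+)\s*ms\s*\)")
SEM_RE = re.compile(r"(\w+)\.(wait|release)!")

def parse_transitions(text):
    """Map each source state to its (guard, destination, action) triple."""
    return {src: (guard, dst, action) for src, guard, dst, action in TRANS_RE.findall(text)}

def analyse_cycle(text, period_ms, start="s0"):
    """Walk the cycle from `start`: sum COMPUTATION bounds and check semaphore discipline
    (each semaphore waited once, released in LIFO order, none held when the cycle closes)."""
    succ, bcet, wcet = parse_transitions(text), 0.0, 0.0
    held, violations, visited, state = [], [], set(), start
    while state not in visited:            # stops when the walk returns to a seen state
        visited.add(state)
        guard, dst, action = succ[state]
        comp = COMP_RE.search(action)
        if comp:
            bcet, wcet = bcet + float(comp.group(1)), wcet + float(comp.group(2))
        sem = SEM_RE.search(guard)
        if sem and sem.group(2) == "wait":
            if sem.group(1) in held:
                violations.append(f"{sem.group(1)} re-acquired in {state}")
            held.append(sem.group(1))
        elif sem and held and held[-1] == sem.group(1):
            held.pop()                     # release matches the most recently acquired semaphore
        elif sem:
            violations.append(f"{sem.group(1)} released out of LIFO order in {state}")
        state = dst
    if held:
        violations.append(f"still held when the cycle closes: {held}")
    return {"bcet_ms": bcet, "wcet_ms": wcet, "utilization": wcet / period_ms,
            "fits_period": wcet <= period_ms, "violations": violations}
```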
Reliability Modeling Approach

Error state & occurrence model as AADL extension

- Error states and transitions

- Fault events & occurrence rates

- Error propagation rates

- Masking of subcomponent and propagation errors

Architecture model provides

- Dependency information

- Isolation analysis

- Basis for stochastic process model generation

Reflects hazard analysis, component failure modes & effects analysis

[Figure: error state machine with states error free, observed fault, babbling and fail_stopped; propagate transitions are labelled with the propagated error, babbling or fail_stopped]
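Added example, not from the slides or any SEI tool: a Python sketch of the "stochastic process model generation" step, turning the error states and occurrence rates of the figure into a continuous-time Markov chain and solving it for the probability of each state at a given time. The states follow the figure; the transition rates, the hour-based time unit and the uniformization solver are my own constructed choices for illustration.

```python
import math

# Constructed error model for one component, using the error states from the slide.
# Each entry is (from_state, to_state, rate per hour); the rates are illustrative only.
ERROR_STATES = ["error_free", "observed_fault", "fail_stopped", "babbling"]
ERROR_TRANSITIONS = [
    ("error_free", "observed_fault", 1e-3),   # fault occurrence rate
    ("observed_fault", "fail_stopped", 0.9),  # fault detected: component halts (safe)
    ("observed_fault", "babbling", 0.1),      # fault undetected: component babbles (propagates)
]

def generator_matrix(states, transitions):
    """CTMC generator Q: off-diagonal entries are rates, the diagonal makes each row sum to zero."""
    idx = {s: i for i, s in enumerate(states)}
    q = [[0.0] * len(states) for _ in states]
    for src, dst, rate in transitions:
        q[idx[src]][idx[dst]] += rate
        q[idx[src]][idx[src]] -= rate
    return q

def transient_probabilities(states, transitions, t_hours, initial="error_free", eps=1e-10):
    """State probabilities at time t by uniformization:
    P(t) = sum_k Poisson(k; L*t) * p0 * U^k with U = I + Q/L and L the largest exit rate."""
    q = generator_matrix(states, transitions)
    n = len(states)
    rate = max(-q[i][i] for i in range(n)) or 1.0
    if rate * t_hours > 500:
        raise ValueError("horizon too long for this simple uniformization loop")
    u = [[q[i][j] / rate + (1.0 if i == j else 0.0) for j in range(n)] for i in range(n)]
    vec = [1.0 if s == initial else 0.0 for s in states]
    result = [0.0] * n
    weight, total, k = math.exp(-rate * t_hours), 0.0, 0   # Poisson(0; L*t)
    while total < 1.0 - eps:                               # stop once the Poisson mass is used up
        for i in range(n):
            result[i] += weight * vec[i]
        total += weight
        vec = [sum(vec[i] * u[i][j] for i in range(n)) for j in range(n)]   # p0 * U^(k+1)
        k += 1
        weight *= rate * t_hours / k                       # Poisson(k; L*t) from Poisson(k-1; L*t)
    return dict(zip(states, result))

def hazard_probability(t_hours, hazardous=("babbling",)):
    """Probability that the component is in an error-propagating (hazardous) state at time t."""
    p = transient_probabilities(ERROR_STATES, ERROR_TRANSITIONS, t_hours)
    return sum(p[s] for s in hazardous)
```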
An XML-Based AADL Tool Strategy

[Figure: AADL models exchanged as XML feed a commercial tool like TimeWiz, a filter to Markov analysis, and project-specific in-house tools]
Open Source AADL Tool Environment

• OSATE is

- Developed by the Software Engineering Institute

- Available under a no-cost Common Public License (CPL)

- Implemented on top of Eclipse Release 3 (www.eclipse.org)

- Generated from an AADL meta model using the Eclipse Modeling Framework (EMF)

- A textual & graphical AADL front-end with semantic & XML/XMI support

- Extensible through architecture analysis & generation plug-ins

• OSATE offers

- Low cost entry point to the use of SAE AADL

SAE AADL and OSATE: Enablers of Embedded Systems Research

• Industry standard architecture modeling notation & model interchange format facilitates

- Interchange of architecture models between contractors & subcontractors

- Common architecture model for non-functional system property analysis from different perspectives

- In-house prototyping of project specific architecture analysis & generation

- Architecture research with access to industrial models & industry exposure to research results